Red Hat Knowledgebase

Red Hat Enterprise Linux > AS/ES/WS v. 3

Article Reference

Article ID: 4760
Last update: 08-16-07
Issue:
How do I set up winbind on our Samba server to create users and groups from our domain controller?
Resolution:

The following is one example of a collection of settings you can use in your /etc/samba/smb.conf file to create (enumerate) your domain's users and groups on your Samba server.

It is assumed that your Samba server is already properly joined to the domain and that the smb service already starts automatically on your system. Winbind cannot provide full and proper functionality if the server it runs on is not properly joined to the domain. This is true even if the server will never be used as a Samba file/print server and only winbind's functionality is desired.

Throughout this example, we will use an example domain name of MYDOMAIN.

Using settings like these below in the [global] section of your smb.conf will cause the winbind service to enumerate users and groups from the domain controller (DC) your Samba server is joined to. With the winbind service running, you will be able to use these user and group names on the server for things such as file and directory ownership, as well as share permissions in your smb.conf's share definitions.

#  WINBIND STUFF
   idmap uid = 15000-20000
   idmap gid = 15000-20000
   winbind enum groups = yes
   winbind enum users = yes
   winbind separator = +
   winbind use default domain = no
   template homedir = /homes/%D/%U
   template shell = /bin/bash

A brief explanation of some of these settings:

  • idmap uid - the range of numeric UIDs that winbind will assign to the domain users it enumerates on your system. Select a range that does not conflict with UIDs already in use on the system, and do not assign local users UIDs in this range after you start using winbind. It is also best not to change the range once winbind is in use, because files and directories owned by domain users would then map to the wrong owner or group.

  • idmap gid - the range of numeric GIDs that winbind will assign to the domain groups it enumerates on your system. The idmap uid cautions noted above apply here as well.

  • winbind enum groups and winbind enum users - whether winbind should "create" the domain's groups/users on the system or not. Leave these both set to yes unless you want to turn the functionality off for some reason.

  • winbind separator - the character winbind will use to separate the domain name from the user or group name. Using such a configuration will cause domain usernames to appear like this - "MYDOMAIN+username" and domain group names to appear like this - "MYDOMAIN+Domain Users" for example.

  • The template homedir statement is used to generate the home directory path for domain users. The example given uses variable substitution and would cause winbind-enumerated users' home directories to appear as /homes/MYDOMAIN/username.

Note that if you wish certain (or all) domain users to have a home directory on the Samba server, you will have to create it for them. While the template homedir statement does control where Samba thinks the user's home directory will be, winbind will not actually create the user's home directory for you.
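The idmap uid and idmap gid cautions above are easy to check before winbind is switched on. The following shell script is an added example, not part of the Red Hat article: it scans passwd- and group-format files for numeric IDs that already fall inside the planned 15000-20000 range. The passwd and group contents it uses are constructed sample data; on a real server pass /etc/passwd and /etc/group to idmap_range_is_free instead.

```shell
#!/bin/sh
# Added example, not part of the Red Hat article: check that a planned
# "idmap uid"/"idmap gid" range is free of IDs already used by local
# accounts and groups. The passwd/group contents below are constructed
# sample data; on a real server pass /etc/passwd and /etc/group instead.

IDMAP_LOW=15000
IDMAP_HIGH=20000

# Print "name:id" for every entry in a passwd- or group-format file
# (the numeric ID is field 3 in both) whose ID lies inside the range.
ids_in_range() {
    awk -F: -v lo="$IDMAP_LOW" -v hi="$IDMAP_HIGH" \
        '$3 ~ /^[0-9]+$/ && $3 + 0 >= lo && $3 + 0 <= hi { print $1 ":" $3 }' "$1"
}

# Return 0 when no local account or group uses an ID inside the range,
# 1 (and print the offenders) when at least one does.
idmap_range_is_free() {
    clashes=$( { ids_in_range "$1"; ids_in_range "$2"; } )
    if [ -n "$clashes" ]; then
        echo "idmap range $IDMAP_LOW-$IDMAP_HIGH already used by:"
        echo "$clashes"
        return 1
    fi
    return 0
}

# Constructed samples: a clean system, and one where a local account
# was created inside the winbind range.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd.clean" <<'EOF'
root:x:0:0:root:/root:/bin/bash
radvd:x:75:75:radvd user:/:/sbin/nologin
radiusd:x:95:95:radiusd user:/:/bin/false
EOF
    cat > "$dir/group.clean" <<'EOF'
root:x:0:
quagga:x:92:
radiusd:x:95:
EOF
    cat > "$dir/passwd.dirty" <<'EOF'
root:x:0:0:root:/root:/bin/bash
localapp:x:15001:15001:local app account:/srv/app:/bin/false
EOF
    printf '%s\n' "$dir"
}

SAMPLES=$(make_samples)

idmap_range_is_free "$SAMPLES/passwd.clean" "$SAMPLES/group.clean" \
    && echo "clean system: range is free"
idmap_range_is_free "$SAMPLES/passwd.dirty" "$SAMPLES/group.clean" \
    || echo "dirty system: move that account before enabling winbind"
```

Run the same check again whenever a local account or group is added later; an ID that lands inside the range after winbind is in use produces exactly the ownership confusion the cautions above describe.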

Next, you need to edit your /etc/nsswitch.conf file, so winbind can supplement your system users and groups with those from the domain. There are other articles in Red Hat Knowledgebase on this topic.
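The nsswitch.conf change amounts to adding winbind as a second source after files on the passwd and group lines. The script below is an added example, not part of the Red Hat article: it makes that edit idempotently on whatever file path it is given, so it can be tried on a constructed copy first. The sample nsswitch.conf content is constructed; on a real server run nss_add_winbind against /etc/nsswitch.conf as root after taking a backup.

```shell
#!/bin/sh
# Added example, not part of the Red Hat article: add "winbind" to the
# passwd and group lines of an nsswitch.conf file if it is not already
# there. The sample file content below is constructed; on a real server
# point nss_add_winbind at /etc/nsswitch.conf (as root, after a backup).

# Return 0 if the named database line already lists winbind as a source.
nss_has_winbind() {
    db=$1
    file=$2
    grep -Eq "^${db}:.*[[:space:]]winbind([[:space:]]|$)" "$file"
}

# Append winbind to the existing sources on the passwd and group lines,
# creating the line if it is missing. Running it twice changes nothing.
# The rewrite goes through "cat > file" rather than "mv" so the file keeps
# its inode and permissions; nsswitch.conf must stay world-readable.
nss_add_winbind() {
    file=$1
    for db in passwd group; do
        if nss_has_winbind "$db" "$file"; then
            continue
        fi
        if grep -Eq "^${db}:" "$file"; then
            tmp=$(mktemp)
            sed "s/^\(${db}:.*[^[:space:]]\)[[:space:]]*$/\1 winbind/" "$file" > "$tmp" \
                && cat "$tmp" > "$file" && rm -f "$tmp"
        else
            printf '%s: files winbind\n' "$db" >> "$file"
        fi
    done
}

# Constructed sample, not a real /etc/nsswitch.conf.
make_sample_nsswitch() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample nsswitch.conf
passwd:     files
shadow:     files
group:      files
hosts:      files dns
EOF
    printf '%s\n' "$f"
}

SAMPLE=$(make_sample_nsswitch)
nss_add_winbind "$SAMPLE"
cat "$SAMPLE"
```

Only passwd and group are touched; shadow is left alone because winbind does not supply shadow entries for this enumeration setup, and hosts is untouched because it is unrelated to user and group lookup.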

After editing your nsswitch.conf file, all that remains to be done is to restart the Samba service, configure the winbind service to start automatically in runlevels 3-5, and then actually start the winbind service.

Run these commands as root to configure winbind's start runlevels and start the service:

# chkconfig --level 345 winbind on

# service winbind start
Starting Winbind services:                                 [  OK  ]

You can test the basic user and group enumeration functionality of winbind with wbinfo and getent commands:

# wbinfo -u
MYDOMAIN+vince
MYDOMAIN+Administrator
MYDOMAIN+Guest

# wbinfo -g
MYDOMAIN+Domain Admins
MYDOMAIN+Domain Users
MYDOMAIN+Domain Guests

# getent group
quaggavty:x:102:
quagga:x:92:
radvd:x:75:
radiusd:x:95:
MYDOMAIN+Domain Admins:x:15008:MYDOMAIN+Administrator
MYDOMAIN+Domain Users:x:15009:
MYDOMAIN+Domain Guests:x:15010:MYDOMAIN+Guest

# getent passwd
radvd:x:75:75:radvd user:/:/sbin/nologin
radiusd:x:95:95:radiusd user:/:/bin/false
MYDOMAIN+vince:x:15001:15009:Vince:/homes/MYDOMAIN/vince:/bin/bash
MYDOMAIN+administrator:x:15009:15009:Administrator:/homes/MYDOMAIN/administrator:/bin/bash
MYDOMAIN+guest:x:15010:15009:Guest:/homes/MYDOMAIN/guest:/bin/bash

Note: The output of the wbinfo and getent commands above was truncated for the sake of brevity.

As you can see, winbind adds the domain's users and groups to the real system users and groups that exist in /etc/passwd and /etc/group.

Cautions regarding use of winbind-enumerated group names

Many domain group names contain spaces. Be sure to enclose winbind-enumerated group names containing spaces with double-quotes when using these group names in chown commands, smb.conf share permissions, etc. An example:

 # chown :"MYDOMAIN+Domain Users" thisfile

Domain group names containing spaces limit where you can use these group names on the system, since a lot of software will not read the entire group name even when it is enclosed in quotes.
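The quoting point can be seen directly in the shell, and the same care is needed in any script that parses getent output. The script below is an added example, not part of the Red Hat article: it uses a constructed copy of "getent group" output and splits fields only on ':', so "MYDOMAIN+Domain Admins" stays one name; it also shows what an unquoted argument and a whitespace-based split (the failure mode the article describes) do to that name.

```shell
#!/bin/sh
# Added example, not part of the Red Hat article: work with winbind-
# enumerated group names that contain spaces. GROUP_DATA is a constructed
# copy of "getent group" output, not taken from a live system.

GROUP_DATA='quagga:x:92:
MYDOMAIN+Domain Admins:x:15008:MYDOMAIN+Administrator,MYDOMAIN+vince
MYDOMAIN+Domain Users:x:15009:
MYDOMAIN+Domain Guests:x:15010:MYDOMAIN+Guest'

# Print the GID of the named group, or nothing if it is not present.
# Splitting on ':' only keeps the full group name intact.
group_gid() {
    printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$1" '$1 == g { print $3 }'
}

# Return 0 if user $1 is listed in the member field of group $2.
user_in_group() {
    printf '%s\n' "$GROUP_DATA" | awk -F: -v u="$1" -v g="$2" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# The failure mode: a whitespace split sees "MYDOMAIN+Domain" as the
# whole name and "Admins:x:15008:..." as a second word.
naive_group_name() {
    printf '%s\n' "$GROUP_DATA" | grep -F "$1" | awk '{ print $1 }'
}

# Why the double quotes matter on a chown command line: unquoted, the
# shell hands chown two arguments (":MYDOMAIN+Domain" and "Users").
count_args() {
    echo "$#"
}

echo "Domain Admins gid: $(group_gid 'MYDOMAIN+Domain Admins')"
user_in_group 'MYDOMAIN+Administrator' 'MYDOMAIN+Domain Admins' \
    && echo "Administrator is a Domain Admin"
echo "naive split yields: $(naive_group_name 'Domain Admins')"
echo "unquoted chown args: $(count_args :MYDOMAIN+Domain Users)"
echo "quoted chown args:   $(count_args :"MYDOMAIN+Domain Users")"
```

When a tool on the server truncates the group name even with quotes, a numeric GID from the idmap range (15008 above) is the reliable fallback, since it is what the kernel stores on the file in any case.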

Other combinations of winbind settings are also possible, but the settings shown work well together.

For further information on winbind, we would recommend the following sources of information:

  • The Samba documentation contained in /usr/share/doc/samba-version/docs, on any Red Hat system with the base samba RPM installed. Complete illustrated reference manuals are provided in both PDF and HTML formats in this directory.
  • The wbinfo man page, viewable by running the command man wbinfo.
  • The smb.conf man page, viewable by running the command man smb.conf.
